
How does an antivirus program work?

I have searched Google, but nothing worthwhile comes up, and I've searched the forums, but I haven't found an answer to this question: How does an antivirus program actually work?

If someone knows of a thread or tutorial/lecture that has the answer, please post it (I like to learn/figure things out on my own most times. However, this time I think I need a hint or two, he he). Otherwise, if one of you has the answer, that would be greatly appreciated too. Thanks for your time.

1. Pattern or signature matching: looking for strings in the code.
2. Heuristics: looking for potentially harmful instructions in the code, or even the presence of executables such as macros.
3. Behavioural analysis: waiting for it to try to "do" something and intercepting that.
4. Sandboxing: making stuff run in an environment where it cannot access critical parts of the system. Deleting everything on logoff.
5. Checksumming: detecting changes to existing files, basically length and date last altered.
6. New arrivals analysis: basically looks for new processes, startups, services etc. This is similar to #3 but is more aimed at stuff with time & date triggers, that #3 would miss.

Now if you want to talk about "Security Suites", which is what you see these days more than the traditional AV products, I could add quite a few more.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
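Item 5 above (checksumming), as an added Python example that is not code from the thread: it records a fingerprint per file once and later reports which files were modified, added or removed. It fingerprints with the file size plus a SHA-256 of the contents rather than only size and modification date, and the constructed scenario shows why: an in-place patch that keeps the file length and puts the timestamp back is invisible to the size-and-date check but not to the hash. The directory tree, file names and "virus" bytes are all made up for the demonstration.

```python
"""Integrity baseline (the "checksumming" technique): fingerprint every file
once, then later report what was modified, added or removed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def strong_fingerprint(path: Path) -> tuple:
    """Size plus content hash: any change to the bytes changes this."""
    return (path.stat().st_size, sha256_of(path))


def weak_fingerprint(path: Path) -> tuple:
    """Size plus last-modified time only, as in the post; both are easy to preserve."""
    st = path.stat()
    return (st.st_size, st.st_mtime_ns)


def build_baseline(root: Path, fingerprint) -> dict:
    """Map each regular file (relative path) under root to its fingerprint."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict, fingerprint) -> dict:
    """Re-fingerprint the tree and diff it against the stored baseline."""
    current = build_baseline(root, fingerprint)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario (made-up files, not real malware): three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        calc, notepad, readme = root / "calc.exe", root / "notepad.exe", root / "readme.txt"
        calc.write_bytes(b"MZ" + b"\x00" * 62 + b"GOOD CODE")
        notepad.write_bytes(b"MZ" + b"\x00" * 62 + b"OTHER GOOD CODE")
        readme.write_bytes(b"hello")
        strong = build_baseline(root, strong_fingerprint)
        weak = build_baseline(root, weak_fingerprint)

        # 1. Appending infector: the virus body is tacked onto the end of calc.exe.
        with calc.open("ab") as f:
            f.write(b"virus")
        # 2. In-place patch of notepad.exe that keeps the length (15 bytes of
        #    payload either way) and restores the timestamp afterwards.
        st = notepad.stat()
        notepad.write_bytes(b"MZ" + b"\x00" * 62 + b"EVIL GOOD CODE!")
        os.utime(notepad, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 3. A dropper writes a new file, and an existing file is deleted.
        (root / "svchost.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"virus")
        readme.unlink()

        return {"strong": compare(root, strong, strong_fingerprint),
                "weak": compare(root, weak, weak_fingerprint)}
```

Run `demo()` and compare the two reports: the size-and-date baseline sees the appended file, the dropped file and the deletion, but misses the same-length patch to notepad.exe; the hashed baseline catches all four. A real integrity checker also has to protect the baseline itself (store it signed or off-box), otherwise whatever modified the files can update the stored fingerprints too.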

If you take an executable file in Windows (pick a small one) you have an "executable". These are not just .exe extensions, by the way; .com, .reg, .scr and so on are all executable if you have the correct program linked to them.

Copy the file and change the extension to .txt, then open it in notepad. You will be looking at the binary executable. You will see bits in plain English, so you can see that it would be easy to spot something like "rat scabies and the runnin s0rez reking krew" for example. This would obviously be in exactly the same position within the virus code, so the search would be quick.

Other strings would be calls and commands associated with the virus' activities.

Other clues would be IP addresses and telephone numbers hard-coded into the virus.

This is coupled with whether the virus is known to append, prepend or insert.

Append would be: GOOD CODEvirus
Prepend: virusGOOD CODE
Insert: GOODvirusCODE

So you would know at exactly which positions to look for particular characters.

2. Heuristics

Now, we know that we will get the nasty as a binary executable, which has been compiled from a more understandable higher-level programming language.

The HLL doesn't really matter, as we are passing the actual instructions in machine code, so if I create the instruction to fdisk c:\ that will look the same in binary, no matter where it came from at the higher level.

Heuristics look for instructions that are out of place or potentially harmful, this would include file changes, Registry edits, registering services, starting services, and so on.

That is a very lightweight answer, but I cannot write a several-thousand-word paper on a forum.

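The first two techniques Nihil describes (a string signature checked at the position where an appending, prepending or inserting virus would leave it, and heuristics that look for dangerous commands, API names, registry keys and hard-coded addresses) as an added Python example; it is not code from the thread or from any real AV product. The signature names, the 4-byte stub wrapped around the tell-tale string, the suspicious-string list, the threshold of 3 and the sample "files" are all assumptions constructed for the demonstration.

```python
"""Toy signature scanner with positional signatures (appended / prepended /
inserted virus bodies) and a crude string-based heuristic."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A literal byte pattern plus where in the file it is expected to sit."""
    name: str
    pattern: bytes
    where: str = "any"   # "start" (prepended virus), "end" (appended), "any" (inserted)
    offset: int = 0      # bytes between the file start (or end) and the pattern


def match_signature(data: bytes, sig: Signature) -> bool:
    """One slice compare for 'start'/'end' (no search); a full search for 'any'."""
    n = len(sig.pattern)
    if sig.where == "start":
        return data[sig.offset:sig.offset + n] == sig.pattern
    if sig.where == "end":
        stop = len(data) - sig.offset
        return stop - n >= 0 and data[stop - n:stop] == sig.pattern
    return sig.pattern in data


KREW = b"rat scabies and the runnin s0rez reking krew"   # the string from the post
# Hypothetical virus body: a 4-byte stub, the tell-tale string, a terminator.
VIRUS_BODY = b"MZ\x90\x00" + KREW + b"\x00"

# Hypothetical signatures: the same string, but each knows where to look.
SIGNATURES = [
    Signature("krew/prepended", KREW, "start", offset=4),   # right after the 4-byte stub
    Signature("krew/appended", KREW, "end", offset=1),      # just before the trailing NUL
    Signature("krew/inserted", KREW, "any"),                # slow path: search the whole file
]

# Heuristic clues (assumed list): commands, API names, registry keys, addresses.
SUSPICIOUS_STRINGS = [b"fdisk", b"format c:", b"currentversion\\run",
                      b"createservice", b"writeprocessmemory", b"urldownloadtofile"]
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEURISTIC_THRESHOLD = 3


def heuristic_score(data: bytes) -> int:
    """Count suspicious clues; case-insensitive so 'CreateServiceA' still counts."""
    low = data.lower()
    return sum(1 for s in SUSPICIOUS_STRINGS if s in low) + len(IP_RE.findall(data))


def scan(data: bytes) -> dict:
    """Any signature hit => infected; otherwise enough heuristic clues => suspicious."""
    hits = [s.name for s in SIGNATURES if match_signature(data, s)]
    score = heuristic_score(data)
    verdict = "infected" if hits else ("suspicious" if score >= HEURISTIC_THRESHOLD else "clean")
    return {"signatures": hits, "heuristic_score": score, "verdict": verdict}


def samples() -> dict:
    """Constructed test files (not real binaries or malware)."""
    clean = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
             + b"GOOD CODE" + b"\x00" * 16 + b"Copyright (c) Example Corp\x00")
    unknown = (b"MZ" + b"\x00" * 62 + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
               + b"CreateServiceA\x00URLDownloadToFileA\x00192.0.2.10\x00")
    return {
        "clean": clean,
        "appended": clean + VIRUS_BODY,                        # GOOD CODEvirus
        "prepended": VIRUS_BODY + clean,                       # virusGOOD CODE
        "inserted": clean[:40] + VIRUS_BODY + clean[40:],      # GOODvirusCODE
        "unknown_dropper": unknown,   # no known signature, only heuristic clues
    }


def demo() -> dict:
    """Scan every sample and return its verdict, hits and heuristic score."""
    return {name: scan(data) for name, data in samples().items()}
```

Calling `demo()` shows the point of the positional signatures: the appended and prepended samples are caught by a single slice comparison at a known offset, while the inserted sample falls through to the `any` search over the whole file, and the "unknown dropper" with no known string still scores 4 clues and is flagged as suspicious. Real engines do not work on raw file bytes like this: they parse the executable format, unpack or emulate the code first, and hash or wildcard their patterns rather than storing plain strings, but the matching idea is the same.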

Hey Nihil,
I have opened so many executable files in Notepad and found most lines unreadable. It means AV performs a search like this. Your information is quite interesting; I didn't know that, but I wondered how AV finds anything in an executable file.
Thanks a lot for sharing.

Hi Alok, as I said, that was a lightweight answer. Tedob1 is quite correct: the AV uses proper programming tools.

The reason I suggested Notepad was that it shows you the compiled binary (which looks like a load of nonsense) and the comments and metadata in plain text, so they sort of stand out. I just wanted you to get a general idea of what non-essential strings looked like.

Whilst I am on the subject, viruses are generally a bundle of software that does a variety of things. AVs frequently find "common code" such as droppers, which virus authors re-use.

I will tell you a little story about Notepad.

A number of years ago I was working on a site where I felt that security was not being taken seriously, if at all.

So I wrote this little .reg file (4 lines as I recall) and attached it to their logon script one morning. It modified their Registries so that certain executables would open by default in Notepad.

A few months later, the "Lovebug" or "I love you" virus came out and spread worldwide. I received several telephone calls asking about this "strange stuff on their screens". I told them they had just opened a virus attachment in their e-mail, and they all asked what they should do. My reply was:

"Correct the little pillock's spelling mistakes, beef up the payload, and send it to someone who really deserves it"

I got a reputation for being somewhat "kewl"


Hehe, Nihil wasn't clear...he was kind of making an analogy. Opening executables in Notepad won't show you much of anything useful. The idea is the AV scanner looks at the data looking for strings it knows are suspect or malicious (signatures) or commands, functions, or instructions that are "questionable".

That was a lightweight answer. If you really want to get further into it, you'll have to get some serious experience and education.

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore